Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

CIRA support flagged for security vulnerabilities #3910

Closed superbam closed 2 years ago

superbam commented 2 years ago

Hello, I'm running into an issue with CIRA support. During an external Qualys scan, port 4433 was flagged for the following:

TLS 1.0 and 1.1 support is disabled on the OS so it leads me to believe the CIRA service is introducing this. Is it possible for CIRA to work without TLS 1.0 and 1.1? Can the other issues be fixed?

PathfinderNetworks commented 2 years ago

I just ran a Qualys Labs SSL scan against my own mesh server and am seeing none of this. Mine gets an A+ overall and is showing only TLS 1.3 and 1.2 are active.
Do you happen to have a reverse proxy or anything else out in front of your MeshCentral server? I do not. If you do, then that is what is causing these issues.

superbam commented 2 years ago

No reverse proxy in front of it. A scan of port 443 comes back looking great but a scan of port 4433 looks less great. Here is the output of `nmap --script ssl-enum-ciphers`:

```
PORT     STATE SERVICE
4433/tcp open  vop
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
```

PathfinderNetworks commented 2 years ago

Wow, so yes. You are right. When I scan port 4433 specifically I do see the same issues in regards to the TLS levels. Not good! On port 4433 I also see TLS 1.0, 1.1, and 1.2 in use and available. 1.3 is not available.
I'm definitely no expert on AMT and CIRA. But I wonder if these deprecated TLS versions need to be there to support old versions of AMT? Like you, I would definitely prefer they not be available.

Ylianst commented 2 years ago

Ha yes. MeshCentral will only accept TLS 1.2 and 1.3 on port 443, but will accept older TLS versions on port 4433. This is because older Intel AMT versions that are still deployed do not support TLS 1.2 or TLS 1.3. I will look in the code, I may have a switch to make the MPS port 4433 just as secure as port 443. If not, I will add a switch for this, but expect that some Intel AMT devices will no longer be able to connect.

Ylianst commented 2 years ago

Note that if you don't use the Intel AMT MPS (CIRA server) on port 4433, you can turn it off by adding the following line in the "settings" section of the config.json:

```json
"mpsport": 0
```

Ylianst commented 2 years ago

Just added a new option in the settings section of the config.json:

```json
"mpsHighSecurity": true
```

This will have the MPS server on default port 4433 only accept TLS 1.2 and 1.3 connections; as a result, older Intel AMT devices will not be able to connect. I have not tested this much, so I am not sure what the full impact will be.

This will be in MeshCentral v1.0.12.

superbam commented 2 years ago

Thank you for fixing this so quickly.

Tested and confirmed that TLS 1.0 and 1.1 are gone.

The change doesn't seem to bother AMT versions 11+. Confirmed that it breaks CIRA on AMT version 10.0.60, so likely anything 10 and below.
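As an added example (not code from this thread or from MeshCentral), the following Python script automates the check superbam ran before and after `mpsHighSecurity`: it parses raw `nmap --script ssl-enum-ciphers` output for the MPS port and fails it when SSLv3/TLS 1.0/TLS 1.1, static-RSA or CBC suites are still offered, or TLS 1.3 is missing. The policy is deliberately stricter than what the fix in the thread does (the fix only removes TLS 1.0 and 1.1). Both embedded scan texts are constructed, abbreviated samples; the "after" one is hypothetical and shows what the policy accepts, not what a real MeshCentral MPS returns.

```python
"""Check nmap ssl-enum-ciphers output against a TLS hardening policy.

Added example for this thread, not MeshCentral code: it automates the check
superbam did by hand, parsing raw `nmap --script ssl-enum-ciphers` output for
the MPS port and reporting deprecated versions or weak suites still offered.
"""
import re

# Constructed: abbreviated excerpt of the port-4433 scan pasted in the thread.
BEFORE_SCAN = """\
PORT     STATE SERVICE
4433/tcp open  vop
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

# Constructed: a hypothetical passing scan of the same port (not real output
# from a MeshCentral MPS), used to show what the policy accepts.
AFTER_SCAN = """\
PORT     STATE SERVICE
4433/tcp open  vop
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""

VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\((.*?)\)\s+-\s+([A-F])\s*$")
DEPRECATED_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text):
    """Return {protocol_version: [(suite, key_exchange, nmap_grade), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:  # a "TLSv1.x:" header opens a new protocol section
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result


def evaluate(parsed, require_tls13=True):
    """Return policy findings (empty list = pass). The policy is this example's
    own and stricter than nmap's letter grades: no SSLv3/TLS 1.0/TLS 1.1, no
    static-RSA key exchange (no forward secrecy), no CBC suites, TLS 1.3 on."""
    findings = []
    for version in sorted(parsed):
        if version in DEPRECATED_VERSIONS:
            findings.append(f"{version} offered ({len(parsed[version])} suites)")
    tls12 = [suite for suite, _, _ in parsed.get("TLSv1.2", [])]
    static_rsa = sorted({s for s in tls12 if s.startswith("TLS_RSA_WITH_")})
    if static_rsa:
        findings.append("TLS 1.2 static-RSA suites (no forward secrecy): " + ", ".join(static_rsa))
    cbc = sorted({s for s in tls12 if "_CBC_" in s})
    if cbc:
        findings.append("TLS 1.2 CBC-mode suites: " + ", ".join(cbc))
    if require_tls13 and "TLSv1.3" not in parsed:
        findings.append("TLS 1.3 not offered")
    return findings


def is_compliant(scan_text, require_tls13=True):
    return not evaluate(parse_enum_ciphers(scan_text), require_tls13)


if __name__ == "__main__":
    for label, scan in (("before mpsHighSecurity", BEFORE_SCAN), ("after", AFTER_SCAN)):
        findings = evaluate(parse_enum_ciphers(scan))
        print(f"{label}: {'PASS' if not findings else 'FAIL'}", *findings, sep="\n  ")
```

To use it on a real server, save the output of `nmap -p 4433 --script ssl-enum-ciphers <host>` to a file and pass its contents to `evaluate(parse_enum_ciphers(...))`; pass `require_tls13=False` if, as in this thread, the goal is only to confirm TLS 1.0 and 1.1 are gone rather than to require TLS 1.3 on the MPS port.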